U.S. patent application number 12/222722 was filed with the patent office on 2008-08-14 and published as application 2009/0080460 on 2009-03-26 for a system and method for providing bandwidth signaling across cryptographic boundaries in a network.
Invention is credited to Frank Dell Kronewitter, III, and Bong K. Ryu.
Application Number: 20090080460 (12/222722)
Family ID: 40471515
Publication Date: 2009-03-26
United States Patent Application 20090080460
Kind Code: A1
Kronewitter, III; Frank Dell; et al.
March 26, 2009
System and method for providing bandwidth signaling across
cryptographic boundaries in a network
Abstract
The use of Protocol Enhancing Proxies (PEPs) and HAIPE
encryption has traditionally been mutually exclusive. IP-layer
encryption renders the upper layers, such as TCP, unavailable to
the PEP. By integrating the IP layer encryption into the modem and
using additive or multiplicative increase and decrease signals as
bandwidth notification, signaling is provided across the
cryptographic boundary to support the use of a bandwidth aware PEP
in a network protected by IP-layer encryption.
Inventors: Kronewitter, III; Frank Dell (San Diego, CA); Ryu; Bong K. (Poway, CA)
Correspondence Address: DUANE MORRIS LLP, Suite 1000, 505 9th Street, N.W., Washington, DC 20004, US
Family ID: 40471515
Appl. No.: 12/222722
Filed: August 14, 2008
Related U.S. Patent Documents
Application Number 60/935,452, filed Aug 14, 2007 (provisional; no patent number)
Current U.S. Class: 370/466
Current CPC Class: H04L 47/193 20130101; H04L 47/2491 20130101; H04L 69/08 20130101; H04L 69/163 20130101; H04L 69/16 20130101; H04L 47/10 20130101; H04L 47/33 20130101; H04L 63/0428 20130101; H04L 63/164 20130101; H04L 69/169 20130101
Class at Publication: 370/466
International Class: H04J 3/22 20060101 H04J003/22
Claims
1. A method of communicating in a communication system having a
first network having a first host sourcing plain text information
and a second host receiving plain text information, and a second
network for encrypting the plain text information between the first
and second host, comprising the steps of: (a) monitoring the
available bandwidth in the second network; (b) transmitting a
message from second network to the first network indicating the
available bandwidth; (c) translating a message formatted for the
first network to a format for the second network as a function of
the available bandwidth.
2. The method of claim 1 further comprising the step of in the
first network, maintaining an estimate of the available bandwidth
in the second network.
3. The method of claim 1 wherein the first network utilizes TCP and
the second network utilizes one of Space Communication Protocol
Standards Transport Layer (SCPS-TX) and Xpress Transport Protocol
(XTP).
4. The method of claim 1 wherein the step of transmitting includes
sending Explicit Congestion Notification (ECN) bits.
5. The method of claim 4 wherein the ECN contains two bits
representing four levels of signaling.
6. The method of claim 5 wherein the four levels of signaling
comprises multiplicative increase, multiplicative decrease,
additive increase, and additive decrease.
7. The method of claim 6 wherein multiplicative increase indicates
increase bandwidth 100%, multiplicative decrease indicates decrease
bandwidth to zero, additive increase indicates increase bandwidth
50 kbps, and additive decrease indicates decrease bandwidth 50
kbps.
8. The method of claim 1 wherein the step of translating is
performed by a protocol enhancing proxy.
9. A communication system having a first network having a first
host sourcing plain text information and a second host receiving
plain text information, and a second network for encrypting the
plain text information between the first and second host,
comprising: a protocol enhancing proxy in the first network for
converting communications in a format for the first network to a
format for the second network; an IP encryptor in communication
with the PEP for converting plain text information to encrypted
information; a bandwidth agent in the second network in
communication with the PEP for providing an indication of the
available bandwidth in the second network.
10. The system of claim 9 wherein the bandwidth agent transmits ECN
bits to the PEP to indicate the available bandwidth.
11. The system of claim 9 wherein the PEP maintains an estimate of
the available bandwidth in the second network.
12. The system of claim 9 wherein the PEP converts the
communications as a function of the available bandwidth.
13. The system of claim 9 wherein the first network utilizes TCP
and the second network utilizes one of Space Communication Protocol
Standards Transport Layer (SCPS-TX) and Xpress Transport Protocol
(XTP).
14. The system of claim 9 wherein the first network is a
terrestrial communications system, and the second network is a
satellite communications system.
15. The system of claim 9 wherein the first and second networks are
wireless networks.
16. The system of claim 9 wherein the first and second networks are
wireline networks.
17. The system of claim 9 wherein one of the networks is wireline
and the other network is wireless.
Description
[0001] This application claims the priority of U.S. Patent
Application Ser. No. 60/935,452 filed Aug. 14, 2007, the disclosure
of which is incorporated by reference herein.
[0002] The present disclosure is directed to the field of computer
networking, especially over high latency links such as those
associated with satellite communications. This disclosure, in
particular, relates to the use of cryptographic security mechanisms
such as IP-layer encryptors with upper layer performance enhancing
proxies over such communication links. Network environments
benefiting the most from this invention will be those containing
bandwidth-on-demand components.
BACKGROUND
[0003] In a communication network, hosts communicate by sending and
receiving packets to each other. This communication may include
many different types of physical medium including short copper
wires and long geosynchronous satellite links. Network devices
which transport packets typically operate transparently from the
end hosts so that network devices may be added and removed without
modifying the host users of the network.
[0004] It is often desirable to secure data from unauthorized
persons who may be attempting to eavesdrop on the data. Defense
networks may contain potentially damaging military information.
Users of public networks may transmit personal or financial data
which may be exploited for criminal use.
[0005] Encryption is a useful technique to provide security in a
public communication network. The sender encrypts data making the
data unavailable to potential interceptors and the receiver
decrypts the data recovering the original message. Network
encryption may occur at various levels of the OSI stack, including the
link layer (layer 2), such as classic ATM encryptors; at or just above
the transport layer (layer 4), such as Secure Sockets Layer (SSL); or
at the IP network layer (layer 3), such as High Assurance Internet
Protocol Encryptor (HAIPE). HAIPE is used by the Department of Defense
and is based on Internet Protocol Security (IPsec), a standard defined
by the Internet Engineering Task Force (IETF). HAIPE devices provide
cryptographic isolation between private networks, referred to as
security enclaves in HAIPE terminology. When the
data is encrypted, upper layer protocol headers such as TCP and
secure enclave IP addresses are converted to cipher text and
rendered unavailable in the shared transit network. Network
security specialists refer to the secure network as Plain Text or
red and the transit, encrypted network as Cipher Text or black.
[0006] In a network containing high latency, dynamic bandwidth
links, protocol acceleration techniques have been shown to be
useful, especially for TCP. One popular technique is the spoofing
of network data with a protocol enhancing proxy (PEP). The PEP may
employ a protocol optimized for satellite links such as Space
Communication Protocol Standards Transport Layer (SCPS-TP) or
Xpress Transport Protocol (XTP). For a PEP to work well over a
dynamic bandwidth link, the current bandwidth available over the
backbone link must be known.
[0007] Currently, the network device that knows the current bandwidth
is the satellite modem, which terminates the RF link and therefore
resides in the encrypted (black) network. The PEP software, however,
needs access to the upper layer header information and so must reside
in the unencrypted (red) network. Thus the PEP typically could not be
used with IP layer encryptors, because no bandwidth information reached
it across the cryptographic boundary. Signaling the bandwidth data
across the cryptographic boundary is the problem addressed in the
current disclosure.
SUMMARY
[0008] The present disclosure provides a mechanism to improve
Performance Enhancing Proxies (PEPs) when deployed with IP-layer
encryptors in a dynamic bandwidth environment. The present
disclosure exploits the allowed exchange of signaling across a
shared transit environment to a secured network enclave boundary.
In one embodiment, ECN bits which typically can be passed through
from black side to red side, are used to signal bandwidth across
the cryptographic boundary to provide the PEP with access to the
current bandwidth available which eliminates the need for ad-hoc
bandwidth probing techniques and their associated lag.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] These and other aspects will now be described in detail with
reference to the following drawings.
[0010] FIG. 1 is a simplified pictorial illustration of a prior art
deployment of IP-layer encryptors to enable secure transmissions
over an insecure or public network.
[0011] FIG. 2 is a simplified pictorial illustration of a prior art
deployment of Performance Enhancing Proxies (PEPs) with a satellite
link to enhance the performance of TCP connections passing through
the satellite.
[0012] FIG. 3 is a simplified pictorial representation of a prior
art deployment of Performance Enhancing Proxies (PEPs) with IP
layer encryptors around a satellite link to provide secure
communication and enhance the performance of TCP connections
passing through the satellite.
[0013] FIG. 4 is a simplified pictorial illustration of one
embodiment of the present disclosure depicting the signaling
occurring across the IP layer cryptographic boundary to support
Performance Enhancing Proxies (PEPs) deployed with IP layer
encryptors around a satellite link to provide secure communication
and enhance the performance of TCP connections passing through the
satellite.
[0014] Like reference symbols in the various drawings indicate like
elements.
DETAILED DESCRIPTION
[0015] FIG. 1 illustrates IP-layer encryptors deployed to enable
secure transmissions over an insecure or public network. Host 101
is a member of the private network 102. Private network 102 is
connected to a public network 104 through IP-layer encryptor 103.
Host 107 is a member of the private network 106. Private network
106 is connected to public network 104 through IP-layer encryptor
105. IP-layer encryptors 103 and 105 then provide secure packet
communication between private networks 106 and 102 over public
network 104.
[0016] FIG. 2 illustrates Protocol Enhancing Proxies used to
improve performance in reliable transport protocols over
communication channels. Packets transmitted between hosts 201 and
209 pass through private networks 202 and 208 which are connected
via satellite connection utilizing satellite 205. Satellite modems
204 and 206 provide IP layer transport for private networks 202 and
208 over satellite 205. On either side of the satellite connections
a protocol enhancing proxy (PEP) is placed so that TCP packets may
be translated to an alternative protocol more suitable for
satellite links such as SCPS-TP or XTP. The use of a network
protocol such as IP allows hosts 201 and 209 to communicate without
knowledge of the structure of the underlying network. The
introduction of a reliable upper layer protocol such as TCP
presents some problems since 201 and 209 must exchange packet
control information. By using PEPs at hosts 203 and 207, host 201
and 209 can use TCP connections 210 and 212 without knowing that a
different protocol 211 is being used over the high latency
satellite link. The PEPs at 203 and 207 are said to "split" the
connection between hosts 201 and 209. The splitting greatly
improves the performance of the TCP connection between hosts 201
and 209.
[0017] FIG. 3 contains an example of using PEP in an IP-layer
encryption environment. Hosts 301 and 311 wish to communicate
securely over satellite 306 accessed via satellite modems 305 and
307. A TCP connection between hosts 301 and 311 utilizes TCP
sections 312 and 314 as well as alternative protocol 313. PEP 303
lies in the plain text portion of the network 315 behind the
IP-layer encryptor 304. PEP 309 also lies in the plain text portion
of the network 317 behind IP-layer encryptor 308. The PEPs can be
used since they lie in the plain text portion of the network and
have access to TCP headers produced by hosts 301 and 311. Note that
a PEP could not operate in the cipher text portion of the network
316 since TCP header would not be available. This solution works
well in a static bandwidth satellite environment since the PEP may
be configured with the capacity of the satellite link. However, in
a dynamic bandwidth environment, the PEP in this prior art
deployment has no way of getting the currently available bandwidth
over the satellite connection. The PEP must use standard congestion
control techniques or some other awkward solution.
[0018] U.S. Pat. App. Pub. 2006/0256817 ("Durst") has proposed two
alternative solutions for deploying PEPs with IP encryptors. In one,
IP-layer encryptors are deployed around the PEPs, effectively making
the PEPs part of the secure network. That solution requires additional
IP-layer encryptors, which increases overhead and may be impractical
because of the accessibility of the PEPs or the costs involved. In the
other, Durst suggests PEP enablers that encapsulate the encrypted
packet header and build a new header so that the PEP can operate on
TCP for the encrypted packet. That solution also increases overhead,
since dual PEPs must be deployed around the IP layer encryptors.
[0019] FIG. 4 discloses one embodiment of a technique for signaling
bandwidth across the cryptographic boundaries enabling bandwidth
aware PEPs that does not require an increase in overhead as in
prior art solutions.
[0020] Explicit Congestion Notification (ECN) is a known signaling
technique using low bit rate transmission to provide notification
of congestion. A two bit ECN field is available for transmission by
IP-layer encryption devices across the cryptographic boundary. The
use of ECN bits for signaling applications, such as QoS, is known
as described in United States Patent App. Publication No.
20070076599.
[0021] In the present disclosure, the pre-existing ECN signaling is
used to indicate the available bandwidth to the PEP. Thus, ECN is
used in a way not previously contemplated or disclosed in the prior
art, and allows bandwidth information to be provided to PEPs when
using TCP. In one embodiment of the present disclosure, the two ECN
bits are associated with four signaling levels: multiplicative
increase, multiplicative decrease, additive increase, and additive
decrease. The PEP maintains an estimate of the currently available
bandwidth and the bandwidth agent on the black side adjusts this
estimate using the ECN signaling. Since the signaling only occurs
between two devices on the same side of the disadvantaged link, the
signaling is not required to be robust. The use of four signaling
levels is but one example, and it is contemplated that using more
or less than 4 signaling levels is fully encompassed by the present
disclosure.
[0022] With reference to FIG. 4, the present disclosure will be
described with reference to a satellite communications system.
Hosts 401 and 411 wish to communicate securely over satellite 406
accessed via satellite modems 405 and 407. A TCP connection between
hosts 401 and 411 is split by PEPs in the secure network utilizing
an alternative protocol over the satellite link. PEP 403 lies in
the plain text portion of the network 415 behind the IP-layer
encryptor 404. PEP 409 also lies in the plain text portion of the
network 417 behind IP-layer encryptor 408. The PEPs can be used
since they lie in the plain text portion of the network and have
access to TCP headers produced by hosts 401 and 411. In a dynamic
bandwidth environment the satellite modems 405 and 407 may have access
to a varying amount of bandwidth, depending on the number of concurrent
users of satellite 406 and on environmental factors such as rain. An
effective PEP at 403 must be aware of the bandwidth currently allocated
to satellite modem 405. By using the two ECN bits contained in the IP
header of traffic flowing through modem 405 toward network 402,
regardless of whether the traffic is destined for host 401 or not, the
bandwidth agent in modem 405 can inform PEP 403 of the bandwidth
currently available over satellite 406. PEP 403 maintains a current
estimate of the bandwidth over satellite 406, and the bandwidth agent
in modem 405 adjusts that estimate by signaling additive or
multiplicative increases or decreases with the two ECN bits. Those bits
are typically copied from the black data entering encryptor 404 from
satellite modem 405 to the red data exiting encryptor 404 toward PEP
403. The bandwidth signaling occurs on network portion 414. In this
manner PEP 403 is kept informed of the currently available bandwidth,
resulting in a more effective accelerator at 403.
[0023] A similar scenario occurs with data moving from host 411 to
host 401. The bandwidth agent in satellite modem 407 marks black
packets destined for network 410 to signal the PEP 409 over network
portion 417. PEP 409 then uses these signals to estimate the
bandwidth over satellite 406.
[0024] FIG. 4 represents one embodiment of the present disclosure in
the satellite environment. However, the principles of the present
disclosure described herein are equally applicable to other high
latency environments that make the use of TCP problematic, for example
a wireless peer-to-peer network with intermittent connectivity.
[0025] The ECN bits may be mapped to bandwidth availability as a
function of the communications environment, i.e., bandwidth
requirements, latency, etc. For example, Table 1 represents a
mapping in a satellite environment where a granularity of 50 kbps
is sufficient.
TABLE 1
ECN bits  Bits  Description
00        2     Reduce current bandwidth to 0
01        2     Reduce current bandwidth level by 50 kbps
10        2     Increase current bandwidth level by 50 kbps
11        2     Increase current bandwidth level 100% over current level, or set current bandwidth to 500 kbps if current bandwidth is 0
[0026] The bandwidth agent in the modem can thus inform the PEP of
the currently available bandwidth over the satellite link through
multiple ECN bit pattern options and updates over time. Note that
an important aspect is rapid notification of large changes in
available bandwidth. Thus, the selection of the granularity of the
bandwidth availability is a function of the characteristic of the
communication environment.
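The following is an added worked example, not code from the application or its inventors. It puts the mechanism of paragraphs [0021], [0022] and Table 1 into running Python: marking and reading the 2-bit ECN field of an IPv4 header (with the header checksum recomputed, which any device that rewrites the field must do), the encryptor copying the field from the black (outer) header to the red (inner) header, the red-side PEP updating its bandwidth estimate from the four Table 1 codes, and a black-side bandwidth agent choosing which code to mark so that the estimate converges on the bandwidth the modem actually has. The agent's selection policy, the MAX_KBPS ceiling and the sample header are assumptions introduced here; the page specifies only the code table.

```python
import struct

# Table 1 of the application: the four 2-bit ECN codes and the steps they carry.
ECN_ZERO    = 0b00  # reduce the current bandwidth estimate to 0
ECN_ADD_DEC = 0b01  # reduce the estimate by 50 kbps
ECN_ADD_INC = 0b10  # raise the estimate by 50 kbps
ECN_MUL_INC = 0b11  # double the estimate, or set it to 500 kbps if it is 0

STEP_KBPS = 50      # granularity chosen in Table 1
RESTART_KBPS = 500  # restart level chosen in Table 1
MAX_KBPS = 10_000   # assumed ceiling for the red-side estimate (not in the page)


def ipv4_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an IPv4 header; 0 means 'verifies'."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ecn_of(header: bytes) -> int:
    """The 2-bit ECN field: the low two bits of the IPv4 ToS/DSCP byte."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] & 0b11


def with_ecn(header: bytes, ecn: int) -> bytes:
    """Copy of an IPv4 header with its ECN field replaced and the header
    checksum recomputed; this is what a modem marking the field, or an
    encryptor copying it, has to do to emit a valid packet."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    hdr = bytearray(header)
    hdr[1] = (hdr[1] & 0xFC) | (ecn & 0b11)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr[:ihl])))
    return bytes(hdr)


def copy_ecn_black_to_red(outer: bytes, inner: bytes) -> bytes:
    """Encryptor behaviour from paragraph [0022]: on decryption the ECN bits
    of the black (outer) header are copied onto the red (inner) header."""
    return with_ecn(inner, ecn_of(outer))


def pep_apply(estimate_kbps: int, ecn: int) -> int:
    """Red-side PEP: update its bandwidth estimate from one Table 1 code.
    The code arrives from the black side through the encryptor, so it is
    treated as untrusted input and the result is clamped to [0, MAX_KBPS]."""
    if ecn == ECN_ZERO:
        new = 0
    elif ecn == ECN_ADD_DEC:
        new = estimate_kbps - STEP_KBPS
    elif ecn == ECN_ADD_INC:
        new = estimate_kbps + STEP_KBPS
    elif ecn == ECN_MUL_INC:
        new = RESTART_KBPS if estimate_kbps == 0 else estimate_kbps * 2
    else:
        raise ValueError("ECN code must be 2 bits")
    return max(0, min(MAX_KBPS, new))


def agent_choose(estimate_kbps: int, actual_kbps: int) -> int:
    """Black-side bandwidth agent in the modem: pick the code that moves the
    PEP's estimate toward the bandwidth the modem actually has. The agent
    tracks the PEP's estimate by replaying the same Table 1 rules, so no
    feedback from the red side is needed. This policy is an assumption."""
    if actual_kbps == 0:
        return ECN_ZERO
    if estimate_kbps == 0:
        return ECN_MUL_INC                      # restart at 500 kbps
    if actual_kbps >= 2 * estimate_kbps:
        return ECN_MUL_INC                      # large rise: double
    if 2 * actual_kbps < estimate_kbps and estimate_kbps > RESTART_KBPS:
        return ECN_ZERO                         # large drop: zero, then rebuild from 500
    if actual_kbps > estimate_kbps:
        return ECN_ADD_INC
    return ECN_ADD_DEC                          # Table 1 has no "hold" code


def run_signaling(actual_kbps: int, estimate_kbps: int, packets: int) -> list:
    """Simulate `packets` marked packets flowing modem -> encryptor -> PEP
    and return the PEP's estimate after each one."""
    trace = []
    for _ in range(packets):
        code = agent_choose(estimate_kbps, actual_kbps)
        estimate_kbps = pep_apply(estimate_kbps, code)
        trace.append(estimate_kbps)
    return trace


# Constructed sample: a minimal 20-byte IPv4 header (checksum 0xB861) standing
# in for a black packet leaving the modem; not taken from the application.
SAMPLE_HEADER = bytes.fromhex(
    "45 00 00 73 00 00 40 00 40 11 b8 61 c0 a8 00 01 c0 a8 00 c7")

if __name__ == "__main__":
    print(run_signaling(actual_kbps=1200, estimate_kbps=0, packets=8))
    print(run_signaling(actual_kbps=200, estimate_kbps=2000, packets=8))
    print(hex(ecn_of(with_ecn(SAMPLE_HEADER, ECN_MUL_INC))))
```

Two properties of Table 1 show up in the simulation. Because there is no "hold" code, an estimate that has converged oscillates by one 50 kbps step from packet to packet, which is harmless for a PEP but means the agent must keep marking. And because the only fast downward code resets the estimate to zero, a large drop is signaled as zero followed by a restart at 500 kbps and additive decreases; the agent above only uses the zero code when the estimate is above the restart level, otherwise it would loop. The clamp in pep_apply reflects the boundary the page describes: the PEP cannot authenticate the bits it receives from the black side, so it bounds what they can do to its state.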
[0027] Embodiments of the subject matter and the functional
operations described in this specification can be implemented in
digital electronic circuitry, or in computer software, firmware, or
hardware, including the structures disclosed in this specification
and their structural equivalents, or in combinations of one or more
of them. Embodiments of the subject matter described in this
specification can be implemented as one or more computer program
products, i.e., one or more modules of computer program
instructions encoded on a tangible program carrier for execution
by, or to control the operation of, data processing apparatus. The
tangible program carrier can be a propagated signal or a computer
readable medium. The propagated signal is an artificially generated
signal, e.g., a machine-generated electrical, optical, or
electromagnetic signal that is generated to encode information for
transmission to suitable receiver apparatus for execution by a
computer. The computer readable medium can be a machine-readable
storage device, a machine-readable storage substrate, a memory
device, a composition of matter affecting a machine-readable
propagated signal, or a combination of one or more of them.
[0028] The term "data processing apparatus" encompasses all
apparatus, devices, and machines for processing data, including by
way of example a programmable processor, a computer, or multiple
processors or computers. The apparatus can include, in addition to
hardware, code that creates an execution environment for the
computer program in question, e.g., code that constitutes processor
firmware, a protocol stack, a database management system, an
operating system, or a combination of one or more of them.
[0029] A computer program (also known as a program, software,
software application, script, or code) can be written in any form
of programming language, including compiled or interpreted
languages, or declarative or procedural languages, and it can be
deployed in any form, including as a stand alone program or as a
module, component, subroutine, or other unit suitable for use in a
computing environment. A computer program does not necessarily
correspond to a file in a file system. A program can be stored in a
portion of a file that holds other programs or data (e.g., one or
more scripts stored in a markup language document), in a single
file dedicated to the program in question, or in multiple
coordinated files (e.g., files that store one or more modules, sub
programs, or portions of code). A computer program can be deployed
to be executed on one computer or on multiple computers that are
located at one site or distributed across multiple sites and
interconnected by a communication network.
[0030] The processes and logic flows described in this
specification can be performed by one or more programmable
processors executing one or more computer programs to perform
functions by operating on input data and generating output. The
processes and logic flows can also be performed by, and apparatus
can also be implemented as, special purpose logic circuitry, e.g.,
an FPGA (field programmable gate array) or an ASIC (application
specific integrated circuit).
[0031] Processors suitable for the execution of a computer program
include, by way of example, both general and special purpose
microprocessors, and any one or more processors of any kind of
digital computer. Generally, a processor will receive instructions
and data from a read only memory or a random access memory or both.
The essential elements of a computer are a processor for performing
instructions and one or more memory devices for storing
instructions and data. Generally, a computer will also include, or
be operatively coupled to receive data from or transfer data to, or
both, one or more mass storage devices for storing data, e.g.,
magnetic, magneto optical disks, or optical disks. However, a
computer need not have such devices. Moreover, a computer can be
embedded in another device, e.g., a mobile telephone, a personal
digital assistant (PDA), a mobile audio or video player, a game
console, a Global Positioning System (GPS) receiver, to name just a
few.
[0032] Computer readable media suitable for storing computer
program instructions and data include all forms of non volatile
memory, media and memory devices, including by way of example
semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory
devices; magnetic disks, e.g., internal hard disks or removable
disks; magneto optical disks; and CD ROM and DVD-ROM disks. The
processor and the memory can be supplemented by, or incorporated
in, special purpose logic circuitry.
[0033] To provide for interaction with a user, embodiments of the
subject matter described in this specification can be implemented
on a computer having a display device, e.g., a CRT (cathode ray
tube) or LCD (liquid crystal display) monitor, for displaying
information to the user and a keyboard and a pointing device, e.g.,
a mouse or a trackball, by which the user can provide input to the
computer. Other kinds of devices can be used to provide for
interaction with a user as well; for example, input from the user
can be received in any form, including acoustic, speech, or tactile
input.
[0034] Embodiments of the subject matter described in this
specification can be implemented in a computing system that
includes a back end component, e.g., as a data server, or that
includes a middleware component, e.g., an application server, or
that includes a front end component, e.g., a client computer having
a graphical user interface or a Web browser through which a user
can interact with an implementation of the subject matter described
in this specification, or any combination of one or more such back
end, middleware, or front end components. The components of the
system can be interconnected by any form or medium of digital data
communication, e.g., a communication network. Examples of
communication networks include a local area network ("LAN") and a
wide area network ("WAN"), e.g., the Internet.
[0035] The computing system can include clients and servers. A
client and server are generally remote from each other and
typically interact through a communication network. The
relationship of client and server arises by virtue of computer
programs running on the respective computers and having a
client-server relationship to each other.
[0036] While this specification contains many specifics, these
should not be construed as limitations on the scope of any
invention or of what may be claimed, but rather as descriptions of
features that may be specific to particular embodiments of
particular inventions. Certain features that are described in this
specification in the context of separate embodiments can also be
implemented in combination in a single embodiment. Conversely,
various features that are described in the context of a single
embodiment can also be implemented in multiple embodiments
separately or in any suitable subcombination. Moreover, although
features may be described above as acting in certain combinations
and even initially claimed as such, one or more features from a
claimed combination can in some cases be excised from the
combination, and the claimed combination may be directed to a
subcombination or variation of a subcombination.
[0037] Similarly, while operations are depicted in the drawings in
a particular order, this should not be understood as requiring that
such operations be performed in the particular order shown or in
sequential order, or that all illustrated operations be performed,
to achieve desirable results. In certain circumstances,
multitasking and parallel processing may be advantageous. Moreover,
the separation of various system components in the embodiments
described above should not be understood as requiring such
separation in all embodiments, and it should be understood that the
described program components and systems can generally be
integrated together in a single software product or packaged into
multiple software products.
[0038] Although a few embodiments have been described in detail
above, other modifications are possible. Other embodiments may be
within the scope of the following claims.
[0039] It may be emphasized that the above-described embodiments,
particularly any "preferred" embodiments, are merely possible
examples of implementations, merely set forth for a clear
understanding of the principles of the disclosure. Many variations
and modifications may be made to the above-described embodiments of
the disclosure without departing substantially from the spirit and
principles of the disclosure. All such modifications and variations
are intended to be included herein within the scope of this
disclosure and the present disclosure and protected by the
following claims.
* * * * *